CVE-2024-57914

{"id": "CVE-2024-57914", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-01-19T12:15:25.573", "references": [{"url": "https://git.kernel.org/stable/c/8586d6ea623e48b2bd38304bbc52b0b8228816ff", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/862a9c0f68487fd6ced15622d9cdcec48f8b5aaa", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpci: fix NULL pointer issue on shared irq case\n\nThe tcpci_irq() may meet below NULL pointer dereference issue:\n\n[ 2.641851] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n[ 2.641951] status 0x1, 0x37f\n[ 2.650659] Mem abort info:\n[ 2.656490] ESR = 0x0000000096000004\n[ 2.660230] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 2.665532] SET = 0, FnV = 0\n[ 2.668579] EA = 0, S1PTW = 0\n[ 2.671715] FSC = 0x04: level 0 translation fault\n[ 2.676584] Data abort info:\n[ 2.679459] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[ 2.684936] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 2.689980] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 2.695284] [0000000000000010] user address but active_mm is swapper\n[ 2.701632] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[ 2.707883] Modules linked in:\n[ 2.710936] CPU: 1 UID: 0 PID: 87 Comm: irq/111-2-0051 Not tainted 6.12.0-rc6-06316-g7f63786ad3d1-dirty #4\n[ 2.720570] Hardware name: NXP i.MX93 11X11 EVK board (DT)\n[ 2.726040] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 2.732989] pc : tcpci_irq+0x38/0x318\n[ 2.736647] lr : _tcpci_irq+0x14/0x20\n[ 2.740295] sp : ffff80008324bd30\n[ 2.743597] x29: ffff80008324bd70 x28: ffff800080107894 x27: ffff800082198f70\n[ 2.750721] x26: ffff0000050e6680 x25: ffff000004d172ac x24: ffff0000050f0000\n[ 2.757845] x23: ffff000004d17200 x22: 0000000000000001 x21: ffff0000050f0000\n[ 2.764969] x20: ffff000004d17200 x19: 0000000000000000 x18: 0000000000000001\n[ 2.772093] x17: 0000000000000000 x16: ffff80008183d8a0 x15: ffff00007fbab040\n[ 2.779217] x14: ffff00007fb918c0 x13: 0000000000000000 x12: 000000000000017a\n[ 2.786341] x11: 0000000000000001 x10: 0000000000000a90 x9 : ffff80008324bd00\n[ 2.793465] x8 : ffff0000050f0af0 x7 : ffff00007fbaa840 x6 : 0000000000000031\n[ 2.800589] x5 : 000000000000017a x4 : 0000000000000002 x3 : 0000000000000002\n[ 2.807713] x2 : ffff80008324bd3a x1 : 0000000000000010 x0 : 0000000000000000\n[ 2.814838] Call trace:\n[ 2.817273] tcpci_irq+0x38/0x318\n[ 2.820583] _tcpci_irq+0x14/0x20\n[ 2.823885] irq_thread_fn+0x2c/0xa8\n[ 2.827456] irq_thread+0x16c/0x2f4\n[ 2.830940] kthread+0x110/0x114\n[ 2.834164] ret_from_fork+0x10/0x20\n[ 2.837738] Code: f9426420 f9001fe0 d2800000 52800201 (f9400a60)\n\nThis may happen on shared irq case. Such as two Type-C ports share one\nirq. After the first port finished tcpci_register_port(), it may trigger\ninterrupt. However, if the interrupt comes by chance the 2nd port finishes\ndevm_request_threaded_irq(), the 2nd port interrupt handler will run at\nfirst. Then the above issue happens due to tcpci is still a NULL pointer\nin tcpci_irq() when dereference to regmap.\n\n devm_request_threaded_irq()\n\t\t\t\t<-- port1 irq comes\n disable_irq(client->irq);\n tcpci_register_port()\n\nThis will restore the logic to the state before commit (77e85107a771 \"usb:\ntypec: tcpci: support edge irq\").\n\nHowever, moving tcpci_register_port() earlier creates a problem when use\nedge irq because tcpci_init() will be called before\ndevm_request_threaded_irq(). The tcpci_init() writes the ALERT_MASK to\nthe hardware to tell it to start generating interrupts but we're not ready\nto deal with them yet, then the ALERT events may be missed and ALERT line\nwill not recover to high level forever. To avoid the issue, this will also\nset ALERT_MASK register after devm_request_threaded_irq() return."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: typec: tcpci: soluciona el problema del puntero NULL en el caso de irq compartida. La funci\u00f3n tcpci_irq() puede encontrarse con el siguiente problema de desreferencia de puntero NULL: [2.641851] No se puede gestionar la desreferencia de puntero NULL del kernel en la direcci\u00f3n virtual 0000000000000010 [2.641951] estado 0x1, 0x37f [2.650659] Informaci\u00f3n de aborto de memoria: [2.656490] ESR = 0x0000000096000004 [2.660230] EC = 0x25: DABT (EL actual), IL = 32 bits [2.665532] SET = 0, FnV = 0 [2.668579] EA = 0, S1PTW = 0 [ 2.671715] FSC = 0x04: error de traducci\u00f3n de nivel 0 [ 2.676584] Informaci\u00f3n de cancelaci\u00f3n de datos: [ 2.679459] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 2.684936] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 2.689980] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 2.695284] [0000000000000010] direcci\u00f3n de usuario pero active_mm es intercambiador [ 2.701632] Error interno: Oops: 0000000096000004 [#1] PREEMPT SMP [ 2.707883] M\u00f3dulos vinculados en: [ 2.710936] CPU: 1 UID: 0 PID: 87 Comm: irq/111-2-0051 No contaminado 6.12.0-rc6-06316-g7f63786ad3d1-dirty #4 [ 2.720570] Nombre del hardware: Placa NXP i.MX93 11X11 EVK (DT) [ 2.726040] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 2.732989] pc : tcpci_irq+0x38/0x318 [ 2.736647] lr : _tcpci_irq+0x14/0x20 [ 2.740295] sp : ffff80008324bd30 [ 2.743597] x29: ffff80008324bd70 x28: ffff800080107894 x27: ffff800082198f70 [ 2.750721] x26: ffff0000050e6680 x25: ffff000004d172ac x24: ffff0000050f0000 [ 2.757845] x23: ffff000004d17200 x22: 0000000000000001 x21: ffff0000050f0000 [ 2.764969] x20: ffff000004d17200 x19: 0000000000000000 x18: 0000000000000001 [ 2.772093] x17: 0000000000000000 x16: ffff80008183d8a0 x15: ffff00007fbab040 [ 2.779217] x14: ffff00007fb918c0 x13: 0000000000000000 x12: 000000000000017a [ 2.786341] x11: 0000000000000001 x10: 0000000000000a90 x9 : ffff80008324bd00 [ 2.793465] x8 : ffff0000050f0af0 x7 : ffff00007fbaa840 x6 : 0000000000000031 [ 2.800589] x5 : 000000000000017a x4 : 0000000000000002 x3 : 0000000000000002 [ 2.807713] x2 : ffff80008324bd3a x1 : 00000000000000010 x0 : 0000000000000000 [ 2.814838] Rastreo de llamadas: [ 2.817273] tcpci_irq+0x38/0x318 [ 2.820583] _tcpci_irq+0x14/0x20 [ 2.823885] irq_thread_fn+0x2c/0xa8 [ 2.827456] irq_thread+0x16c/0x2f4 [ 2.830940] kthread+0x110/0x114 [ 2.834164] ret_from_fork+0x10/0x20 [ 2.837738] C\u00f3digo: f9426420 f9001fe0 d2800000 52800201 (f9400a60) Esto puede suceder en el caso de irq compartido. Por ejemplo, dos puertos Tipo-C comparten un irq. Despu\u00e9s de que el primer puerto termin\u00f3 tcpci_register_port(), puede activar la interrupci\u00f3n. Sin embargo, si la interrupci\u00f3n llega por casualidad, el segundo puerto termina devm_request_threaded_irq(), el controlador de interrupci\u00f3n del segundo puerto se ejecutar\u00e1 primero. Entonces, el problema anterior ocurre debido a que tcpci sigue siendo un puntero NULL en tcpci_irq() cuando se desreferencia a regmap. devm_request_threaded_irq() &lt;-- port1 irq viene deshabilitar_irq(client-&gt;irq); tcpci_register_port() Esto restaurar\u00e1 la l\u00f3gica al estado anterior a el commit (77e85107a771 \"usb: typec: tcpci: support edge irq\"). Sin embargo, mover tcpci_register_port() antes crea un problema cuando se usa el irq de borde porque tcpci_init() se llamar\u00e1 antes que devm_request_threaded_irq(). tcpci_init() escribe ALERT_MASK en el hardware para indicarle que comience a generar interrupciones, pero a\u00fan no estamos listos para lidiar con ellas, entonces los eventos ALERT pueden perderse y la l\u00ednea ALERT no se recuperar\u00e1 al nivel alto para siempre. Para evitar el problema, esto tambi\u00e9n establecer\u00e1 el registro ALERT_MASK despu\u00e9s del retorno de devm_request_threaded_irq()."}], "lastModified": "2025-01-31T15:19:21.703", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CAA666EC-CF76-46C6-AE86-951E128D4C0A", "versionEndExcluding": "6.12.10", "versionStartIncluding": "6.12"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A073481-106D-4B15-B4C7-FB0213B8E1D4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE491969-75AE-4A6B-9A58-8FC5AF98798F"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93C0660D-7FB8-4FBA-892A-B064BA71E49E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "034C36A6-C481-41F3-AE9A-D116E5BE6895"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8AF9DC49-2085-4FFB-A7E3-73DFAFECC7F2"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}